10 Microsoft 365 terms you need to know before choosing a license
By Michal Lampe Sørensen · 6 min read · 10 May 2026
TL;DR
Conditional Access, DLP, Intune, Defender, Purview, Copilot. Microsoft 365 licensing is full of terms that determine which plan you need. Here are the 10 most important, explained with licensing context.
Security and access
Conditional Access is policy-based access control. You set rules like: "Only managed devices can access Exchange" or "MFA required outside the office network." It requires Entra ID P1, included from Business Premium and E3. Without Conditional Access you only have basic MFA, no control over where or how users sign in.
Entra ID (formerly Azure AD) is Microsoft's cloud identity service. All M365 plans include the basic version. P1 (in Business Premium/E3) adds Conditional Access and group-based licensing. P2 (E5/E7 only) adds Identity Protection and Privileged Identity Management, relevant if you have administrators who should have time-limited access to critical systems.
MFA (Multi-Factor Authentication) is included in all plans via Security Defaults. But Security Defaults is all-or-nothing. If you want granular control, e.g. MFA only for external networks or only for specific apps, you need Conditional Access and therefore at minimum Business Premium.
Data protection and compliance
DLP (Data Loss Prevention) prevents sensitive data from being shared by mistake. For example, DLP can block an email containing social security numbers or credit card numbers. Basic DLP for Exchange and SharePoint is in Business Premium and E3. Endpoint DLP, which also covers local files and clipboard, requires E5.
Purview is Microsoft's compliance platform. Basic Purview (manual classification, simple DLP) is in E3. The full suite with automatic classification, Insider Risk Management, eDiscovery Premium and Communication Compliance is only in E5/E7. Relevant for organizations with GDPR requirements, legal hold obligations or regulatory requirements.
Sensitivity Labels classify and encrypt documents. You can manually set labels in E3 ("Confidential", "Internal"). Automatic labeling, where the system scans and classifies on its own, requires E5.
Device management and threat protection
Intune is Microsoft's cloud-based device management. MDM (Mobile Device Management) manages the entire device. MAM (Mobile Application Management) manages only apps, useful for BYOD. Both are in Business Premium and E3+. From July 2026, selected Intune Suite features (Remote Help, Advanced Analytics, and Intune Plan 2) are added to E3/E5; the full Intune Suite (with Cloud PKI, Advanced Analytics etc.) remains a separate add-on.
Defender is not one product but a family. Defender for Business is in Business Premium and covers endpoints for up to 300 users. Defender for Endpoint P1 is in E3 (basic endpoint protection). P2 is in E5 (advanced with automated investigation). Defender XDR in E5/E7 brings it all together (endpoints, email, identity, cloud apps) in one detection platform.
Security Copilot is AI-assisted threat analysis. It is not included in any Microsoft 365 plan, not even E5 or E7. SCUs (Security Compute Units) are purchased separately on a consumption basis and used as AI runtime when security analysts investigate incidents or generate reports.
AI and productivity
Microsoft 365 Copilot is the AI assistant that works directly in Word, Excel, Outlook and Teams with access to the company data the individual user has rights to via Microsoft Graph (not the entire organization's data). It costs $30/user/mo as an add-on to Business Standard+, E3 or E5. Included in E7 ($99/mo).
Copilot Chat (free in all plans except F1) answers questions based on web data, but has no access to your SharePoint, emails or Teams messages. The difference is crucial: Chat is a general AI assistant, Copilot is integrated into your workflow.
Agent 365 is Microsoft's AI agent platform for workflow automation. $15/user/mo as an add-on or included in E7. Enables building AI agents that can perform tasks across Teams, Outlook and SharePoint.
Teams Phone is a cloud PBX directly in Teams. Included in Office 365 E5, M365 E5 and E7. Important: the Teams Phone license only includes the PBX functionality. Actual PSTN calling requires either a Calling Plan ($12-24/mo), Operator Connect or Direct Routing to an SBC.
What does this mean for your license choice?
Most licensing decisions boil down to three questions:
Do you need Conditional Access and Intune? Yes → minimum Business Premium ($22) or E3 ($39).
Do you need advanced threat detection or compliance? Defender XDR, Insider Risk, Endpoint DLP, eDiscovery Premium → E5 ($60).
Do you want Copilot integrated in Office apps? Add-on for $30/mo, or E7 ($99) which includes it along with everything in E5.
Look up all 39 terms in our glossary, or use Feature Lookup to find which plan includes a specific function.
Frequently asked questions
What's the difference between MDM and MAM in Intune?
MDM (Mobile Device Management) controls the entire device: remote wipe, password policies, OS updates. MAM (Mobile Application Management) only manages company apps and data, useful on BYOD devices where you don't want to control the user's personal phone. Both are in Business Premium and E3+.
What is an SCU (Security Compute Unit)?
SCU is Microsoft's consumption unit for Security Copilot. Roughly 1 SCU equals an analyst session of 5-10 minutes. Price ~$4/SCU/hour. E5 and E7 get embedded Security Copilot capped at 400 SCU per 1,000 users, max 10,000 SCU/mo per tenant. Extra consumption is purchased separately.
What's the difference between Defender for Business and Defender XDR?
Defender for Business (in Business Premium) is endpoint protection with light EDR for organizations up to 300 users. Defender XDR (in E5/E7) is an enterprise-grade SOC in one: it correlates threats across endpoints, email, identity, and cloud apps, with automatic investigation and response.